Apparent infection or trojan detected

jay_j
2010-03-05, 22:39
SYSTEM INFORMATION:
Dell Precision 340 Workstation
_______________________________________
Windows 2000 Professional
5.00.2195 Service Pack 4
_______________________________________
Mozilla FireFox Version: 3.6
_______________________________________
Internet Explorer Version: 6.0.2800.1106
_______________________________________
ESET NOD32 Antivirus 4.0.467.0
_______________________________________
SUPERAntiSpyware
_______________________________________
Malwarebytes' Anti-Malware
_______________________________________
SpywareBlaster version 4.2
_______________________________________
SpyBot version: 1.6.2.46
__________________________________________________________
Hi:
My system appears to be repeatedly infected by either a trojan or malware, as detected by Spybot and/or SpywareBlaster.
I need easy to follow step by step instructions that a computing novice can safely follow.
-------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:44 PM, on 3/5/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Siber Systems\AI RoboForm\PasswordGenerator.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238646850718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238646834468
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 7667 bytes

-------------------------------------------------------------
Problem summary:
a) Within “SpywareBlaster”: Something is REPEATEDLY Disabling Protection for “Mozilla Firefox”. At the time that I made this posting to this forum: “230 items have protection disabled”.

b) Within “Spybot”: Something is REPEATEDLY Disabling Protection for 39,734 things.
[Just one example: “Global [Hosts]” 169 things are Unprotected.]
Please be advised that until recently... I've been using both of the aforementioned programs for a while without any apparent issues. It appears that the machine has become recently infected.
Best Regards,
j

shelf life
2010-03-10, 22:50
hi,

Your log is a few days old. If you still need help, reply to my post and we can get a closer look for malware. I don't use either of those two apps you mentioned so can't speak directly about them.

jay_j
2010-03-12, 04:18
Hi shelf life:
Thank you for replying to my posting.
I Grrreatly appreciate Your Honesty (in making the following statement) as it's apparently becoming a rare virtue in today's world.
You wrote:

I don't use either of those two apps you mentioned so can't speak directly about them.
Therefore, I must admit to being a bit confused or uncertain if you'll be able to help me.
I honestly don't know how to proceed.
Question: Do you think that I'll have better odds of achieving success in this technical matter... if I wait for a reply from another expert who's familiar with the two programs that I'm using?
Best Regards
J

PS. I sincerely hope that I didn't accidentally offend you with my query.

shelf life
2010-03-13, 01:42
I wouldn't be able to answer any questions about those two apps directly, like if you had specific questions about them, that is. I see you have several anti-malware apps. I assume they are updated and come up clean after a scan?
We will get one more download for a check. Link and directions:

Download Gmer to your desktop (a randomly named .exe).

http://gmer.net/download.php

close any running programs.

double click the gmer icon to start Gmer:
if you get a message box that says:

warning!!
Gmer has found system modification or Rootkit Activity.......

It will ask you:
Do you want to fully scan your system?

--->select NO<---

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.

Now click the Scan button.

Gmer will scan the computer.
If you get a Rootkit warning window during the scan: click OK.

When finished click "Save" to save the log to your desktop.

Copy/paste the saved Gmer log in your reply.

jay_j
2010-03-13, 06:49
Hi shelf life:
I already had GMER on my desktop.
I had some difficulty and tried running it 3 or 4 times.
I hope I ran it correctly as I was unable to see your directions after closing the web browser.
First I pushed the pause button on the cable internet modem.
Then, I shut down the programs seen running in the lower bottom right hand corner of the desktop - task bar.
Then I ran GMER.
Following each of the 3-4 runs of GMER, my computer repeatedly experienced:
A Fatal System Error - Approximate message: Windows Logon Failed. Then the computer shut down and restarted.
GMER's approximate message: "Might have been caused by rootkits".

--------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-13 00:13:18
Windows 5.0.2195 Service Pack 4
Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

---- Threads - GMER 1.0.15 ----

Thread System [8:112] 88BA7930

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------------
After all of these Fatal Errors........Do you think it's safe to proceed?
Best Regards,
J

shelf life
2010-03-13, 16:28
Hi,
I wouldn't be too concerned about the rootkit activity with all the problems running Gmer.

Try running it in safe mode. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option on the list, safe mode.

While you are in safe mode you can do this first, then run Gmer. You might want to copy/paste it into Notepad and save it so you can read it in safe mode:

-------------------------------------
Using Explorer (right click on Start > Explore) drill down to these folders and delete what you can inside the folders:

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *OK* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------------------
If you don't see a folder called Local Settings or any of the others then try this and look for them again:

On the Windows desktop, double-click the My Computer icon.
On the Tools menu, click Folder Options.
Under the View tab, uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Last, while in safe mode, try running Gmer again and save the log.
Reboot normally and post the Gmer log if it ran ok.

jay_j
2010-03-14, 13:13
Hi shelf life:
You wrote:

I wouldn't be too concerned about the rootkit activity with all the problems running Gmer.
After reading your comment I'm wondering... do you think that I should run Microsoft's System File Checker prior to proceeding?
Regards.
J

shelf life
2010-03-14, 19:08
You can proceed as is with Gmer. You can run SFC if you want also.
Have you ever reinstalled W2K?
We can also get another look with RootRepeal. Link and directions:

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

jay_j
2010-03-15, 17:42
Hi shelf life:
I ran SFC.
You asked: Have you ever reinstalled W2K?
My Answer: Yes, a long time ago.
You wrote:

Using Explorer (right click on Start > Explore) drill down to these folders and delete what you can inside the folders:

C:\Windows\Temp\

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

Go to Start > Run and type: cleanmgr. Windows will scan. When done check these 3 and press *OK* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
-----------------------------------
Reminder: I'm using Windows 2000 Professional as my operating system.
Sadly, the above steps were not productive.

You wrote:

If you don't see a folder called Local Settings or any of the others then try this and look for them again:

On the Windows desktop, double-click the My Computer icon.
On the Tools menu, click Folder Options.
Under the View tab, uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Re: "uncheck Hide protected operating system files." Where is it?
Re: "Hidden files" folder, click Show hidden files and folders."
Please note: Under the Hidden (Folder):
There were only two choices as follows:
a) NOHIDDEN
b) SHOWALL
Please note: In place of the "a)" and "b)" there was a circle next to each choice. There was a dot inside of the circle next to "NOHIDDEN".
______________________________________________________________
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-15 11:48:41
Windows 5.0.2195 Service Pack 4
Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
_____________________________________________________________
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/03/15 12:17
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xBE938000 Size: 90112 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xF69CC000 Size: 4096 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xF65C0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\v\Application Data\Mozilla\Firefox\Profiles\jzbmtgoq.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: D:\Socialization\MySpace_Stuff\NOTIFI~1.JPG:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
ServiceTable Hooked [0x80480a60]!

#: 016 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f58c0

#: 018 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5ee0

#: 027 Function Name: NtConnectPort
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f43b0

#: 032 Function Name: NtCreateFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02870

#: 035 Function Name: NtCreateKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea00b90

#: 040 Function Name: NtCreatePort
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f4060

#: 041 Function Name: NtCreateProcess
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f14c0

#: 043 Function Name: NtCreateSection
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f0fe0

#: 046 Function Name: NtCreateThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2890

#: 052 Function Name: NtDeleteFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea032d0

#: 053 Function Name: NtDeleteKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01140

#: 055 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01a90

#: 060 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02810

#: 061 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02840

#: 086 Function Name: NtLoadKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01ee0

#: 100 Function Name: NtOpenFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02ee0

#: 103 Function Name: NtOpenKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea01380

#: 106 Function Name: NtOpenProcess
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f22c0

#: 108 Function Name: NtOpenSection
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f1250

#: 111 Function Name: NtOpenThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2d50

#: 119 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5b70

#: 139 Function Name: NtQueryKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea027b0

#: 155 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea027e0

#: 169 Function Name: NtReplaceKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02280

#: 176 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f4f20

#: 180 Function Name: NtRestoreKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea024e0

#: 181 Function Name: NtResumeThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f3a70

#: 182 Function Name: NtSaveKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea02790

#: 186 Function Name: NtSetContextThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f31c0

#: 194 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea03590

#: 215 Function Name: NtSetValueKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea013a0

#: 217 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5290

#: 221 Function Name: NtSuspendThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f38a0

#: 222 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f3700

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2650

#: 225 Function Name: NtTerminateThread
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f2ff0

#: 240 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f5d20

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x88bf6b20]
Process: System Address: 0x88b9d930 Size: 1744

Shadow SSDT
-------------------
#: 012 Function Name: NtGdiBeginPath
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef840

#: 297 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ed5c0

#: 300 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eec80

#: 373 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edea0

#: 390 Function Name: NtUserGetDC
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef520

#: 403 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edd70

#: 405 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edc40

#: 423 Function Name: NtUserGetWindowDC
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef6b0

#: 444 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9edfd0

#: 449 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef100

#: 459 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ee3a0

#: 460 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ee700

#: 481 Function Name: NtUserSendInput
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eea50

#: 490 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eedf0

#: 510 Function Name: NtUserSetParent
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9eef30

#: 527 Function Name: NtUserSetWindowPos
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef3f0

#: 529 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ecfb0

#: 530 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ecbf0

#: 533 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ed210

#: 536 Function Name: NtUserShowWindow
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ef320

==EOF==
Regards,
j
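
The GMER and RootRepeal output above is the kind of text a helper reads by eye; the script below is an added example (not code from GMER, RootRepeal, or this thread) that parses both formats, groups every SSDT / Shadow SSDT hook by the driver that installed it, and lists hidden services and stealth objects for review. The allow-list naming OADriver.sys as the Online Armor HIPS driver is an assumption taken from the "OA Helper Driver/Tall Emu" tag in the GMER lines, and the sample logs are constructed copies of a few lines from the thread plus one invented `example_unknown.sys` entry to exercise the unexplained-hook path.

```python
"""Triage helper for GMER and RootRepeal text logs (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample in the exact shape of the GMER output posted in the thread.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

# Constructed sample in the shape of the RootRepeal report. The "#: 999" entry
# (example_unknown.sys) is invented to show how an unexplained hook is reported.
ROOTREPEAL_SAMPLE = r"""
SSDT
-------------------
ServiceTable Hooked [0x80480a60]!

#: 016 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9f58c0

#: 035 Function Name: NtCreateKey
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbea00b90

#: 999 Function Name: NtExampleHook
Status: Hooked by "C:\WINNT\system32\drivers\example_unknown.sys" at address 0x00000000

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x88bf6b20]
Process: System Address: 0x88b9d930 Size: 1744

Shadow SSDT
-------------------
#: 530 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINNT\system32\drivers\OADriver.sys" at address 0xbe9ecbf0
"""

# Assumed allow-list: modules whose SSDT hooks are explained by installed security software.
KNOWN_HOOKERS = {"oadriver.sys": "Online Armor HIPS driver (Tall Emu)"}

GMER_SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
GMER_SVC_RE = re.compile(
    r"^Service\s+(?P<path>\S+?)\??\s+\(\*\*\* hidden \*\*\* \)\s*"
    r"(?:\[(?P<state>\w+)\]\s*)?(?P<name>\S+)\s+<-- ROOTKIT")
RR_FUNC_RE = re.compile(r"^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<func>\w+)")
RR_HOOK_RE = re.compile(r'^Status: Hooked by "(?P<path>[^"]+)" at address 0x(?P<addr>[0-9A-Fa-f]+)')


def basename(path):
    """Last component of a Windows path such as \\??\\C:\\...\\OADriver.sys."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Return SSDT hook records and hidden-service records from a GMER log."""
    ssdt, hidden = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = GMER_SSDT_RE.match(line)
        if m:
            ssdt.append({"function": m["func"], "module": basename(m["path"]),
                         "description": m["desc"], "address": m["addr"].lower()})
            continue
        m = GMER_SVC_RE.match(line)
        if m:
            hidden.append({"name": m["name"], "path": m["path"], "state": m["state"]})
    return {"ssdt": ssdt, "hidden_services": hidden}


def parse_rootrepeal(text):
    """Return hook records (with their table: SSDT or Shadow SSDT) and stealth objects."""
    lines = text.splitlines()
    section, pending, hooks, stealth = None, None, [], []
    for i, raw in enumerate(lines):
        line = raw.strip()
        # A section header is a non-empty line followed by a dashed underline.
        if line and i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            section = line
            continue
        m = RR_FUNC_RE.match(line)
        if m:
            pending = (int(m["idx"]), m["func"])  # remember until the Status line arrives
            continue
        m = RR_HOOK_RE.match(line)
        if m and pending:
            hooks.append({"table": section, "index": pending[0], "function": pending[1],
                          "module": basename(m["path"]), "address": m["addr"].lower()})
            pending = None
            continue
        if section == "Stealth Objects" and line.startswith("Object:"):
            stealth.append(line)
    return {"hooks": hooks, "stealth_objects": stealth}


def triage(gmer_text, rootrepeal_text, known=KNOWN_HOOKERS):
    """Group hooks by module (deduplicated across both tools) and list items to review."""
    gmer, rr = parse_gmer(gmer_text), parse_rootrepeal(rootrepeal_text)
    # The same hook shows up in GMER (Zw* name) and RootRepeal (Nt* name); key on address.
    unique = {(h["module"].lower(), h["address"]) for h in gmer["ssdt"] + rr["hooks"]}
    by_module = Counter(module for module, _ in unique)
    findings = []
    for module, n in sorted(by_module.items()):
        if module in known:
            findings.append(f"explained: {n} hook(s) by {module} ({known[module]})")
        else:
            findings.append(f"UNEXPLAINED: {n} hook(s) by {module}; identify this driver before acting")
    for svc in gmer["hidden_services"]:
        findings.append(f"review: service {svc['name']} ({svc['path']}) hidden from enumeration")
    findings.extend(f"review: {obj}" for obj in rr["stealth_objects"])
    return {"hooks_by_module": dict(by_module), "findings": findings}


if __name__ == "__main__":
    for line in triage(GMER_SAMPLE, ROOTREPEAL_SAMPLE)["findings"]:
        print(line)
```

A GMER "hidden" flag on stock Windows 2000 services such as ClipSrv or Schedule is a prompt to verify, not proof of a rootkit, which is why the script lists them under "review" rather than treating them as findings.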

jay_j
2010-03-15, 18:01
Hi:
There's a new icon that suddenly appeared on my desktop.
It's name: "settings.dat"
Do you know what this is and can I safely delete it?
Regards,
j
PPS. How do I edit my posting?

shelf life
2010-03-15, 23:15
Ok, thanks for all the info. You can delete the .dat file. Once logged in you would use the edit button to edit your post. I don't know if everyone can do this though. Do you see an edit button? RootRepeal log looks ok.
I haven't used W2K in a while so maybe the file structure is different than what I posted. I reformat/reinstall my OS at least every year and a half or so. It can do wonders for a machine. If it's been years for yours you might consider it.
Back to the problem; checking for malware.
Do an updated SuperAntiSpyware, ESET and Malwarebytes come up clean after a scan?
when you say;

REPEATEDLY Disabling Protection
do you mean the protection is being disabled or turned off when you expect it to be enabled and on?

jay_j
2010-03-16, 19:01
Hi shelf life:
You wrote:
Once logged in you would use the edit button to edit your post. I don't know if everyone can do this though. Do you see an edit button? It appears that I don't have an edit button. Can you assist me in changing this?
You wrote:
Do an updated SuperAntiSpyware, ESET and Malwarebytes come up clean after a scan? I updated and ran all of the aforementioned programs to no avail.
Following are a portion of the results:
In the “Immunize” section of “SpyBot Search and Destroy” the following is seen:
Mozilla Firefox (default) (cookies) Unprotected = 193
Mozilla Firefox (default) (Images) Unprotected = 13,136
Mozilla Firefox (default) (Installations) Unprotected = 13,136
Mozilla Firefox (default) (Popups) Unprotected = 13,136
Global (Hosts) Unprotected = 169
After seeing the above results of the “Immunize” scan…I then typically click on “Immunize” and that temporarily fixes the problems.
However, soon thereafter something happens that causes the above problems to re-appear.

In “SpywareBlaster” Protection Status:
The following message is seen: “Some protection is not enabled. For full protection you should Enable All Protection.”
Under the “Mozilla Firefox” section it typically indicates “178” or “240” items have protection disabled.
I then typically click on “Enable All Protection” and that Temporarily appears to solve the problems.
You (and I) wrote:
when you say;
Quote: REPEATEDLY Disabling Protection
do you mean the protection is being disabled or turned off when you expect it to be enabled and on? Please note: Despite all of my repeated efforts (as outlined above)... these problems soon re-appear.
Regards,
j

shelf life
2010-03-18, 01:52
I am not sure if all members can edit their posts or not. I will find out.
It looks like Spybot and SpywareBlaster either are not enabled or lose their real-time protection for some reason. You are using the latest software versions of each?

jay_j
2010-03-18, 21:57
Hi shelf life:
You wrote:

You are using the latest software versions of each? Yes.
PS. Something appears to be Repeatedly disabling protection as otherwise afforded by “SpyBot - Search and Destroy” and or “SpywareBlaster” programs.
Regards,
j

shelf life
2010-03-21, 01:27
Start SpywareBlaster by clicking the icon on the desktop:
Click on Updates on the left, then the 'check for updates' button.
Any new ones will be downloaded.
Click the Protection Status link.
At the bottom under Quick Tasks
click Enable All Protection.
May have to do this after it updates.
See if that helps SpywareBlaster anyway.

jay_j
2010-03-21, 02:07
Hi shelf life:
I followed your instructions.
Please note: I regularly do the same thing - Without any progress.
Regards,
j

shelf life
2010-03-21, 18:44
hi:

Some info regarding edits:

Can I edit my own posts?

1. In the Spybot-S&D forum and others, there is a 15 minute time frame to edit one's post. It lessens the chance of an answer referring to things the original poster has deleted.
2. In the Malware Removal Forum, members may not edit their posts. A helper may already be analyzing the information given.

Having a hard time finding any malware. Let's try Dr.Web and see if it can dig up anything:

Download Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) to the desktop:

* Double-click the drweb-cureit icon to start the program.
* Press Start.
* Allow the program to run the initial express scan
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply

jay_j
2010-03-22, 00:14
Hi shelf life:
I downloaded and ran (per your instructions) Dr.Web, version: 6.00.1.03150
You wrote:

* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Please note: The “save report list” link was grayed out and not available.
Therefore, I was not able to follow the (see above) portion of your directions.
Regards,
j
PS. I found a message on the bottom left of this web page that reads: "You may not edit your posts"....Can you get this changed?

shelf life
2010-03-22, 02:42
No, I can't change the edit options for the malware removal forum.
Did the Dr.Web scan find/remove anything during the scan? Still searching for a malware cause.

jay_j
2010-03-23, 01:01
Hi shelf life:
If I'm not mistaken, I think it may have either removed or Quarantined some of the Host(s). If I decide to....How can I restore them?
You wrote:

Still searching for a malware cause.
I'm a bit confused........Are you asking me a question or are you making a statement?
Regards,
j

shelf life
2010-03-24, 00:22
hi,

What I mean is that I am still looking for malware on your machine, as the cause of the problems you are having.
Not sure how you would restore the host file from within Dr.Web; there must be a way though. I will look. I know Spybot uses a custom host file and Spywareblaster may also. It may have moved these host file entries to quarantine.
Why don't you just re-immunize in Spybot and SpywareBlaster for now. I think that would re-apply any entries in the host file that may have been quarantined by Dr.Web.

jay_j
2010-03-25, 20:32
Hi shelf life:
If it's OK with you..........I'm placing the host(s) issue on hold for now in favor of working on the primary problem(s).
What is our next logical step?
Regards,
j

shelf life
2010-03-28, 14:33
Let's go back to the Gmer log and get two files checked out. See if you can locate both of these .exe files in the C:\WINNT directory. If so, go to this site (http://www.virustotal.com/) and browse for the files on your computer. Upload them to the website using the send button.
You can post the URL for each file after the scan is finished.
C:\WINNT\system32\clipsrv.exe?
C:\WINNT\system32\MSTask.exe?

jay_j
2010-03-29, 02:58
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-28 20:37:21
Windows 5.0.2195 Service Pack 4
Running: 9bp4udkg.exe; Driver: C:\DOCUME~1\v\LOCALS~1\Temp\pfxiipob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

---- Threads - GMER 1.0.15 ----

Thread System [8:112] 88BA7930

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

--------------------------------------------------------------------
___________________________________________________________
Hi,
I've been unable to find the following things using "search for files or folders":

C:\WINNT\system32\clipsrv.exe?
C:\WINNT\system32\MSTask.exe?

I believe that there's another way to search. It's been a long time......I don't recall the correct method.
Regards
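The GMER log above is the part of this thread a defender most wants to read systematically: the SSDT hooks and attached devices are tagged with the vendor GMER read from each driver, and the two "hidden" services are what the helper asks to have verified. The following is an added example, not GMER's or the forum's own code; it parses that log (the sample below is a constructed copy of the posted sections), groups kernel hooks by the product GMER attributed them to, and lists the hidden services that still need an independent check, which is exactly the path the thread then follows (on-disk version info, then a hash lookup).

```python
"""Parse a GMER rootkit-scan log and separate attributed kernel hooks from
items that still need verification.

Added example for this thread, not GMER's own code. The log below is a
constructed sample copied from the scan posted above (the SSDT, Devices,
Threads and Services sections).
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-28 20:37:21
Windows 5.0.2195 Service Pack 4

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateKey [0xBEA02810]
SSDT \??\C:\WINNT\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwEnumerateValueKey [0xBEA02840]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)

---- Threads - GMER 1.0.15 ----

Thread System [8:112] 88BA7930

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\clipsrv.exe? (*** hidden *** ) [DISABLED] ClipSrv <-- ROOTKIT !!!
Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) Schedule <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\S+) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT (\S+) \((.+?)\) (\w+) \[(0x[0-9A-Fa-f]+)\]$")
DEVICE_RE = re.compile(r"^(AttachedDevice|Device) (\S+) (\S+) (\S+) \((.+?)\)$")
SERVICE_RE = re.compile(
    r"^Service (.+?) \(\*\*\* hidden \*\*\* \)(?: \[(\w+)\])? (\S+)(?: <-- ROOTKIT !!!)?$"
)


def parse_gmer(text):
    """Split a GMER log into SSDT hooks, device attachments, hidden services
    and anything the parser does not recognise (kept, never silently dropped)."""
    found = {"ssdt": [], "devices": [], "hidden_services": [], "unparsed": []}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section is None or section == "EOF":
            continue  # banner text before the first section
        elif (m := SSDT_RE.match(line)):
            found["ssdt"].append({"driver": m[1], "vendor": m[2],
                                  "syscall": m[3], "address": m[4]})
        elif (m := DEVICE_RE.match(line)):
            found["devices"].append({"kind": m[1], "stack": m[2], "device": m[3],
                                     "driver": m[4], "vendor": m[5]})
        elif (m := SERVICE_RE.match(line)):
            # GMER printed the path with a trailing '?'; the on-disk name has none
            found["hidden_services"].append({"name": m[3], "raw_path": m[1],
                                             "path": m[1].rstrip("?"), "state": m[2]})
        else:
            found["unparsed"].append((section, line))
    return found


def triage(found):
    """Group kernel hooks by the product GMER attributed them to, so it is
    visible at a glance which come from installed security software, and list
    the hidden services that still need an independent check (on-disk version
    info and a hash lookup, as done later in the thread)."""
    hooks = defaultdict(list)
    for h in found["ssdt"]:
        hooks[h["vendor"]].append(f"SSDT {h['syscall']} -> {h['driver']}")
    for d in found["devices"]:
        hooks[d["vendor"]].append(f"{d['kind']} {d['device']} -> {d['driver']}")
    verify = [(s["name"], s["path"], s["state"] or "no state printed")
              for s in found["hidden_services"]]
    return {"hooks_by_vendor": dict(hooks), "verify": verify}


if __name__ == "__main__":
    report = triage(parse_gmer(SAMPLE_LOG))
    for vendor, items in report["hooks_by_vendor"].items():
        print(f"{vendor}: {len(items)} hook(s)")
    for name, path, state in report["verify"]:
        print(f"VERIFY hidden service {name} at {path} [{state}]")
```

On this log every SSDT hook and device attachment is attributed to Online Armor (Tall Emu) or ESET, both of which the poster listed as installed, which is why the helper focuses on the two hidden services rather than on the hooks. The "ROOTKIT !!!" tag is GMER's label for a service it could not see through the normal API; the parser keeps it as a verification item, not a verdict.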

shelf life
2010-03-30, 01:06
To help show all files do this then take a look for them:

1. Double-click "My Computer".
2. Click the "Tools" menu and select "Options".
3. When the "Folder Options" multi-tabbed dialog box appears, select the "View" tab.
4. Uncheck "Hide protected operating system files".
5. Select the "Show hidden files and folders" radio button.
6. Press OK to close the dialog box.

jay_j
2010-03-30, 06:28
Hi shelf life,
Polite reminder: I'm using Windows 2000 professional.
Unless I'm misunderstanding.........The instructions you provided may be applicable to another operating system.

Following are pictures of what my "Folder options", "View" area looks like at two different points:

http://i112.photobucket.com/albums/n196/tryout_06/Win-2k_Folder_options_view_1.jpg

http://i112.photobucket.com/albums/n196/tryout_06/Win-2k_Folder_options_view_2.jpg

What's our next logical step?
Regards

jay_j
2010-03-30, 06:31
Hi shelf life,
Why would anything be hidden?
Are there any dangers or problems if we change the settings?

shelf life
2010-03-31, 02:34
I guess they are hidden so people don't go messing around with them. Why don't you select the SHOWALL, click apply, then ok. See what that does.
If that works we can change it all back when done.

jay_j
2010-04-02, 09:03
Hi shelf life,
Busy-Sorry for the delay.
Thank you for your patience.

jay_j
2010-04-02, 09:06
Hi shelf life,
Busy-Sorry for the delay.
Thank you for your patience.
j

jay_j
2010-04-03, 09:35
Hi shelf life:
I followed your instructions.
Here's what I found: (Please note: These files are not an exact match for the file names that you mentioned. As you can see, there's obviously no question mark in their names. I'm not an expert; however, these files that I located appear to be legitimate.)
clipsrv.exe
Internal Name: CLIPSRV.EXE
Company Name: Microsoft Corporation
File version: 5.0.2134.1
Description: Windows NT DDE Server
Type of file: Application
Size: 30.7 KB
Size on disk: 32.0 KB
Created: May 08, 2001
Modified: May 08, 2001
Location: C:\WINNT\system32
Copyright (C) Microsoft Corp. 1981-1999
____________________________________________________________
mstask.exe
Internal Name: TaskScheduler
Company Name: Microsoft Corporation
File version: 4.71.2195.6972
Description: Task Scheduler Engine
Type of file: Application
Size: 119 KB
Size on disk: 120 KB
Created: Tuesday, September 07, 2004, 10:59:06 AM
Modified: Tuesday, September 07, 2004, 10:59:06 AM
Location: C:\WINNT\system32
Copyright (C) Microsoft Corp. 1997
____________________________________________________________
PS. In the "Folder Options"-------> "View"........I put the settings back to:
"NOHIDDEN".

shelf life
2010-04-03, 16:37
ok. thanks for the info. Those files look legit to me. As they were flagged by GMER you could get them checked out just to be sure if you want to. You can go here (http://www.virustotal.com/), browse for the files on your computer then upload them using the send button.
When the scan is done you can post the http:// for each scan in your reply.

We are not finding any malware as the cause. Maybe it's a conflict between the two (tea timer, Spybot's Immunize function and spywareblaster). I am not really familiar with either one. As an experiment, why don't you try disabling one of them, reboot and see if anything improves.
Other software like Superantispyware might conflict also. If you see its icon in the system tray then it is running; try disabling its real time protection component also if it has one (it may not be included in the free version). If you don't see an icon for it then it has no real time component that's running; that may only be a feature of the paid version.
In other words, just use one active feature: Spybot, spywareblaster or superantispyware.
And not all 3 at once.

jay_j
2010-04-04, 00:00
Hi shelf life,
Thank you for the timely reply.
I did what you suggested in uploading the two files in question to Virustotal.com.........
Following are the results:

Re: clipsrv.exe
File FE1037CA103891207B4900E4A472D6009AFA0FAA.exe
File has already been analysed:
MD5: 804212b6b82354cf4f0c2d567575688a
First received: 2009.06.07 17:07:30 UTC
Date: 2009.06.07 17:07:30 UTC [>300D]
Results: 0/39
Permalink: http://www.virustotal.com/analisis/2596290e68ac34d5259b77dac23c7ba4e774fca086ac0cf47b5a60bd78efa783-1244394450

__________________________________________________
Re: mstask.exe
File has already been analysed:
MD5: b00529eae5d0ce97010b69cc677128c8
First received: 2009.02.26 02:44:29 UTC
Date: 2010.01.24 21:30:19 UTC [>68D]
Results: 0/41
Permalink: http://www.virustotal.com/analisis/79f8a8ff3ad298a053446b0ecd48df6e2f727675d7c5c1ce020371e634b37800-1264368619
_____________________________________________________________

"SpyBot - Search & Destroy"------> "Tools"------> "Resident"------> "TeaTimer" is checked.
There's also an icon (Near the clock.) on the Taskbar.
_____________________________________________________________
You wrote:

If you dont see a icon for it then it has no real time component thats running.
Please note: I don't see icons for "spywareblaster" or "superantispyware" programs on the task bar. Therefore, it appears that these other programs may possibly function via an on-demand-only method (just to run scans when I click on them).
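VirusTotal identified both uploads as files it had already analysed, keyed by MD5. A check worth doing alongside that, as an added example that is neither VirusTotal's nor the forum's own code, is to hash the on-disk copies yourself and compare them with the MD5 in each record, so you know the permalink you are reading describes the same bytes that are on your machine. The two MD5 values are the ones the VirusTotal records above report; the temporary directory and file contents in `demo()` are constructed so the script runs offline, which is why the sample files deliberately produce one match, one mismatch and one missing entry.

```python
"""Check on-disk files against the MD5 values a VirusTotal record reports.

Added example for this thread, not VirusTotal's or the forum's own code.
REPORTED_MD5 holds the values from the records posted above; demo() uses a
constructed temp directory standing in for the system32 folder.
"""
import hashlib
import os
import tempfile

# MD5 values from the VirusTotal records posted above.
REPORTED_MD5 = {
    "clipsrv.exe": "804212b6b82354cf4f0c2d567575688a",
    "mstask.exe": "b00529eae5d0ce97010b69cc677128c8",
}


def file_digests(path, chunk_size=1 << 16):
    """Stream the file through MD5 and SHA-256 in one pass (large files stay cheap)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_directory(directory, expected):
    """Return {filename: status} with status 'match', 'mismatch' or 'missing'.
    Names are compared case-insensitively, as Windows file systems do."""
    on_disk = {n.lower(): os.path.join(directory, n) for n in os.listdir(directory)}
    result = {}
    for name, md5 in expected.items():
        path = on_disk.get(name.lower())
        if path is None:
            result[name] = "missing"
        elif file_digests(path)["md5"] == md5.lower():
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def demo():
    """Constructed run: a temp directory with three deliberately chosen cases."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "CLIPSRV.EXE"), "wb") as fh:
            fh.write(b"hello")  # constructed content, md5 5d41402abc4b2a76b9719d911017c592
        with open(os.path.join(tmp, "mstask.exe"), "wb") as fh:
            fh.write(b"")       # constructed wrong content: will not match the VT record
        expected = {
            "clipsrv.exe": "5d41402abc4b2a76b9719d911017c592",  # matches the constructed file
            "mstask.exe": REPORTED_MD5["mstask.exe"],            # real record, wrong bytes
            "absent.exe": "0" * 32,                              # placeholder hash, file absent
        }
        return verify_directory(tmp, expected)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

To use it on the real machine, point `verify_directory` at the system32 directory and pass `REPORTED_MD5`; a "mismatch" there means the file on disk is not the one the VirusTotal record describes and should be re-uploaded and looked at again, and a "missing" means the search problem from earlier in the thread has not been solved.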

shelf life
2010-04-04, 23:51
Doesn't look like a malware issue. Open up FireFox and change some settings.
I am in linux running version 3.5.8 but this should be close;

Edit>Preferences (maybe Tools for you), under the Privacy tab;
If you have a check next to 'Clear history when firefox closes',
click on the Settings button and make sure in the 'Settings for clearing history',
under Data, that there is no check next to 'Site preferences'.

see attached

jay_j
2010-04-07, 15:05
Hi shelf life,
I essentially followed your instructions as closely as I could guess how to.
At first glance this has apparently helped or resolved part of the issues. However, I wonder what security holes I've opened up in order to accomplish this partial result.
____________________________________________________________
There appears to be a repeating problem as follows.

Spyware Blaster, Search & Destroy
Restricted Sites Protection
Customize the block list
The following was found unchecked (in red):
"Item name: CoolWebSearch (3650) Address: hotfiles.com"

I checked the box next to: "Item name: CoolWebSearch (3650) Address: hotfiles.com"
Then I clicked on the "Protect Against Checked Items" button.
This appears to be a Temporary fix only. It returns quickly.
I also tried going through SpywareBlaster's "Custom Blocking" section. I tried entering the name of the problem(s). However, I don't have the corresponding clsid number. I did a search online and there was more than one number mentioned - which number is the correct number? There was also mention of a program called "CWShredder" Trojan Remover 2.19.

http://i902.photobucket.com/albums/ac225/display_2010/CoolwWebSearch_hotlinkfilescom_issu.jpg

What is the exact clsid for CoolWebSearch hotfiles.com ?
Exactly which website has the exact clsid numbers?

shelf life
2010-04-09, 02:37
I think you may have tried this already but I will ask again. Did you try disabling Spybot's tea timer? I may not have posted these instructions. I don't think they should conflict with one another; it's just an experiment. I am not seeing any malware issues as the cause, at least not with the tools we ran.
Also, malware usually presents itself with certain symptoms on a computer. Are you having any signs (http://www.virusvault.us/signs.html) of malware on the machine? Did you check the Spywareblaster web site for FAQ/troubleshooting suggestions?

I am not familiar with Spywareblaster and would suggest you stay with the default settings; use the link 'enable all protection' even though the settings are not staying set that way. Adding your own entries to the list wouldn't do any good without the correct CLSID number, which (I think) identifies ActiveX objects which can be used by web sites to 'interact' with Internet Explorer. I don't know of any way to find the corresponding CLSID.

To disable Tea Timer;
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Check Spywareblaster for updates and re-enable all protection after the reboot. Cross fingers.

jay_j
2010-04-14, 04:58
Hi shelf life,
I'm in the midst of addressing a local (time sensitive) situation.
I'll return to this thread ASAP.
Thanks again for your understanding.

jay_j
2010-04-15, 01:46
Hi shelf life,
I managed to get a free moment. I accidentally came upon the following (see picture.) malware (after doing my routine update):

http://i112.photobucket.com/albums/n196/tryout_06/backdoor_Bot.jpg

After seeing the (see above) results - I clicked on "Remove selected" and re-started the computer.
Regards,
J

shelf life
2010-04-17, 20:24
ok, since you clicked 'remove selected' and restarted, that should have removed the files.

jay_j
2010-04-22, 16:12
Hi shelf life,
It appears OK at the moment.
Thank you.
j

shelf life
2010-04-25, 14:03
hi,

ok good. What about the issues with spywareblaster and tea timer? Still the same?

jay_j
2010-04-30, 04:49
Hi Shelf life,
Re: SpywareBlaster - seems OK.
Re: Tea timer - I don't remember How to check on this issue.
Regards,
J

shelf life
2010-04-30, 23:02
hi jay_j

ok good. If you have tea timer enabled and it's not doing what it did when you started the thread a few pages ago, then I guess it's ok? Is tea timer enabled?
look here, (http://www.safer-networking.org/en/tutorial/index.html) near the bottom of the page.

jay_j
2010-05-03, 03:39
Hi Shelf life,
"Tea Timer" appears to be enabled.
Thank you,
:) J

shelf life
2010-05-05, 03:10
So all is looking good on your end now?

jay_j
2010-05-09, 03:24
Hi shelf life:
Hope this posting finds you well.
To answer your question:
It may be a bit too soon for me to say it's OK. However, I'm unaware of any current problems. In the end....I guess, only time will tell.
Regards,
j